Feature #35439 » 0001-Option-to-require-2FA-authentication-only-for-users-.patch
app/models/user.rb | ||
---|---|---|
386 | 386 |
def must_activate_twofa? |
387 | 387 |
( |
388 | 388 |
Setting.twofa_required? || |
389 |
(Setting.twofa_optional? && groups.any?(&:twofa_required?)) |
|
389 |
( |
|
390 |
Setting.twofa_optional? && ( |
|
391 |
groups.any?(&:twofa_required?) || |
|
392 |
(Setting.twofa_required_for_administrators? && self.admin) |
|
393 |
) |
|
394 |
) |
|
390 | 395 |
) && !twofa_active? |
391 | 396 |
end |
392 | 397 |
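Review bot: The administrator clause in `must_activate_twofa?` sits inside the `Setting.twofa_optional? && (...)` branch, so a stored `twofa_required_for_administrators` value of 1 has no effect once two-factor authentication is disabled, and nothing in the method says so. That dependency deserves a comment above the method, for example `# The administrator requirement is only evaluated while 2FA is optional; it is ignored when 2FA is disabled.` As a style point, `self.admin` reads better as the predicate `admin?`, matching `twofa_active?` and `twofa_required?` on the neighbouring lines. The whole method is visible in this section.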
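--- a/app/views/settings/_authentication.html.erb
+++ b/app/views/settings/_authentication.html.erb
@@ -37,6 +37,12 @@
 <%= t 'twofa_hint_optional_html', label: t(:label_optional) -%><br/>
 <%= t 'twofa_hint_required_html', label: t(:label_required_lower) -%>
 </em>
+<span id="twofa_optional" class="<%= "hidden" unless Setting.twofa == "1" %>">
+<label class="block">
+<%= setting_check_box :twofa_required_for_administrators, label: false %>
+<%= l(:setting_twofa_required_for_administrators) %>
+</label>
+</span>
 </p>
 
 </div>
@@ -54,3 +60,16 @@
 
 <%= submit_tag l(:button_save) %>
 <% end %>
+
+<%= javascript_tag do %>
+$('#settings_twofa').on('change', function(e){
+const twofa = e.target.value;
+const parent_block = document.getElementById("twofa_optional");
+
+if (twofa == "1") {
+parent_block.classList.remove('hidden');
+} else {
+parent_block.classList.add('hidden');
+}
+});
+<% end %>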
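Review bot: The initial visibility of `#twofa_optional` is decided by the string comparison `Setting.twofa == "1"`, while the model change in this patch uses `Setting.twofa_optional?`; using the predicate here (`class="<%= "hidden" unless Setting.twofa_optional? %>"`) keeps the view and the enforcement logic from drifting apart. Hiding the span is presentation only: the checkbox presumably still posts with the form, so the stored value can remain 1 while 2FA is disabled, which is worth a short comment next to the span. In the script block the handler mixes jQuery with `document.getElementById` and a loose `==`; `$('#twofa_optional').toggleClass('hidden', e.target.value !== '1');` would replace the whole if/else.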
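--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -508,6 +508,7 @@
 setting_show_status_changes_in_mail_subject: Show status changes in issue mail notifications subject
 setting_project_list_defaults: Projects list defaults
 setting_twofa: Two-factor authentication
+setting_twofa_required_for_administrators: Require two-factor authentication for administrators
 
 permission_add_project: Create project
 permission_add_subprojects: Create subprojects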
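--- a/config/settings.yml
+++ b/config/settings.yml
@@ -37,6 +37,9 @@
 twofa:
 default: 1
 security_notifications: 1
+twofa_required_for_administrators:
+default: 0
+security_notifications: 1
 unsubscribe:
 default: 1
 password_required_char_classes: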
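--- a/test/integration/twofa_test.rb
+++ b/test/integration/twofa_test.rb
@@ -31,6 +31,26 @@
 end
 end
 
+test "should require twofa setup when required for administrators" do
+user = User.find_by_login 'admin'
+assert_not user.must_activate_twofa?
+
+with_settings twofa: "0", twofa_required_for_administrators: "1" do
+assert_not Setting.twofa_optional?
+assert_not Setting.twofa_required?
+assert_not user.must_activate_twofa?
+end
+
+with_settings twofa: "1", twofa_required_for_administrators: "1" do
+assert Setting.twofa_optional?
+assert_not Setting.twofa_required?
+assert user.must_activate_twofa?
+log_user('admin', 'admin')
+follow_redirect!
+assert_redirected_to "/my/twofa/totp/activate/confirm"
+end
+end
+
 test "should require twofa setup when required by group" do
 user = User.find_by_login 'jsmith'
 assert_not user.must_activate_twofa?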
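Review bot: The added test exercises only the `admin` account, so it would still pass if the new clause in `must_activate_twofa?` matched every user; a negative case under the same settings is missing. Inside the `with_settings twofa: "1", twofa_required_for_administrators: "1"` block I would add `assert_not User.find_by_login('jsmith').must_activate_twofa?`, assuming `jsmith` is a non-administrator fixture as the following test suggests. The combination `twofa: "2"` with the flag set is not covered either; one assertion there would pin down that global enforcement is unaffected by the new setting. The "required by group" test after the added block continues outside this hunk.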